A solution for building secure web sites on NT/2000

Source: Internet
Author: User
Web sites built on NT (2000) make up a large share of all web sites, but NT security problems have always been prominent, which leaves every NT-based site feeling as if it stands on thin ice. Microsoft has not offered a clear, decisive solution; it only releases patches one after another, and the descriptions of NT security in the various security documents are fragmented and leave readers at a loss. As a result, some network administrators take no measures at all, some are kept busy with one patch program after another, and some think the job is done once a firewall is installed. This directly leads to very uneven NT security across a large number of web sites: only a few NT sites are highly secure, and most are poorly secured. For this reason Rising has set out to collect and organize the main NT vulnerabilities and, at the same time, to work out a solution for building a secure web site on NT, so that you can use NT (2000) to create web sites with peace of mind.

Solution (note: this solution is mainly for securing NT and 2000 Server machines that serve web sites; it is not suitable for servers inside a LAN).

I. Installation:

Whether the system is NT or 2000, make all hard disk partitions NTFS.
Note:
(1) NTFS offers more security controls than FAT partitions: different access permissions can be set on different folders, which improves security.
(2) It is recommended to install all partitions as NTFS from the start rather than installing them as FAT and converting them to NTFS later. If SP5 or SP6 is installed, the conversion may fail or even crash the system.
(3) NTFS partitions carry one potential danger: at present most anti-virus software cannot detect and remove viruses on an NTFS partition after booting from a floppy disk, so once the system is infected and can no longer start normally, the consequences are serious. Routine anti-virus precautions are therefore essential.

Install only one operating system.
Note: if two or more operating systems are installed, an attacker who manages to restart the machine can boot it into the other operating system (one without security settings, or one the attacker is familiar with) and cause damage from there.

Install the machine as a stand-alone server: choose membership in a workgroup, not a domain.
Note: a primary domain controller (PDC) is a means of managing many networked machines inside a LAN. Used on a web server it introduces security risks, because attackers may exploit vulnerabilities in the domain to attack the web server.

Keep the partition holding the operating system files separate from the partition holding the web data and other applications. It is also recommended not to use the default system directory during installation; for example, change \WINNT to another directory name.
Note: hackers may exploit web site vulnerabilities to gain execution permission on certain operating system programs, causing greater damage.

Install the latest OS patches: for NT this is currently SP6, for 2000 it is SP2. On NT, once the service pack is installed, any later installation of a new Windows component from the NT CD requires reinstalling the service pack; this is not necessary on 2000.
Note:

(1) The existence of a latest patch means the system had major vulnerabilities that cannot be closed any other way. Servers inside a LAN may get by without the latest patch, but a web site must install it; otherwise hackers may exploit the vulnerabilities of earlier versions to threaten the system. This is a point administrators easily overlook.
(2) NT with SP5 or SP6 installed carries a potential problem: if the system crashes and NT is reinstalled, the reinstalled system will not recognize the NTFS partitions, because Microsoft changed NTFS in these two service packs. Such partitions are only recognized by Windows 2000 setup, which can cause a great deal of trouble. Back up your data at the same time.
(3) Install the service pack on a test machine first, so that an unexpected failure does not crash the production machine, and back up the data beforehand.

Do not install software unrelated to the web site service.
Note: other applications may have well-known security vulnerabilities.

II. NT settings:

Account policy:
(1) Use as few accounts as possible, and log on with as few of them as possible.
Note: accounts on a web site are generally used only for system maintenance. Do not keep a single redundant account, because every account carries the risk of being cracked.
(2) Besides Administrator, add one more account belonging to the Administrators group.
Note: with two accounts in the Administrators group there is a backup account if the administrator forgets one account's password, and if a hacker breaks into one account and changes its password, we still have a chance to regain control quickly.
(3) Strictly control the permissions of all accounts and do not grant any account special permissions.
(4) Rename Administrator to a name that is hard to guess; other general accounts should follow the same principle.
Note: this puts one more obstacle in the way of a hacker.
(5) Disable the Guest account, rename it to a complex name, give it a password, and remove it from the Guests group.
Note: some hacking tools exploit weaknesses of Guest to elevate ordinary user accounts into the Administrators group.
(6) Give every user account a complex password (system accounts excepted). The password must be at least 8 characters long and contain letters, digits, and special characters. Do not use familiar words (such as microsoft), familiar keyboard sequences (such as qwert), or familiar numbers (such as 2000).
Note: passwords are the focus of hacker attacks; once a password is broken there is no system security left. Many network administrators overlook this. In our tests a five-character password made only of letters and digits was cracked in a few minutes; the recommended scheme is much safer.
(7) Change passwords regularly (at least once every two weeks), memorize them, and never write them down anywhere. In addition, if log review shows repeated logon attempts against an account, change that account (both user name and password) immediately.
(8) Set a lockout threshold in the account policy, for example lock the account after 5 failed logon attempts. This blocks large-scale logon attempts and also alerts the administrator to that account.
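Rules (6) and (8) above can be expressed as code, so that candidate passwords and a stream of logon results can be checked against them before the policy is applied on the server. The following is an added example written for this page; it is not from the original article or from Rising. The lists of familiar words and numbers, the threshold and the sample logon events are constructed for the example.

```python
"""Password-policy and lockout checks matching the article's rules (6) and (8).
Added example; the word/number lists and sample events are constructed."""
import string
from collections import defaultdict

MIN_LENGTH = 8
FAMILIAR_WORDS = ("microsoft", "password", "admin")   # constructed list
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
FAMILIAR_NUMBERS = ("2000",)                          # constructed list
SEQUENCE_LEN = 4          # a run of this many adjacent keys counts as a sequence
LOCKOUT_THRESHOLD = 5     # the article's example: lock after 5 failed logons


def _has_keyboard_sequence(pw):
    """True if any forward or reverse run of SEQUENCE_LEN adjacent keys appears."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - SEQUENCE_LEN + 1):
            run = row[i:i + SEQUENCE_LEN]
            if run in low or run[::-1] in low:
                return True
    return False


def password_problems(pw):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special characters")
    low = pw.lower()
    for word in FAMILIAR_WORDS:
        if word in low:
            problems.append("contains familiar word %r" % word)
    if _has_keyboard_sequence(pw):
        problems.append("contains a keyboard sequence")
    for num in FAMILIAR_NUMBERS:
        if num in pw:
            problems.append("contains familiar number %r" % num)
    return problems


class LockoutTracker:
    """Counts consecutive failed logons per account and locks at the threshold."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.locked = set()

    def record(self, account, success):
        """Record one logon result; return True if the account is (now) locked."""
        if account in self.locked:
            return True          # a later success does not unlock the account
        if success:
            self.failures[account] = 0
            return False
        self.failures[account] += 1
        if self.failures[account] >= self.threshold:
            self.locked.add(account)
        return account in self.locked


# Constructed sample of (account, success) logon results, not real log data.
SAMPLE_LOGONS = [
    ("webadmin", False), ("webadmin", False), ("webadmin", False),
    ("webadmin", False), ("webadmin", False), ("webadmin", True),
    ("backup", False), ("backup", True), ("backup", False),
]


def locked_accounts(events, threshold=LOCKOUT_THRESHOLD):
    """Replay logon events and return the sorted list of accounts that got locked."""
    tracker = LockoutTracker(threshold)
    for account, ok in events:
        tracker.record(account, ok)
    return sorted(tracker.locked)


if __name__ == "__main__":
    for candidate in ("Microsoft2000", "qwert1!A", "Tr3e$Lamp!9"):
        print(candidate, "->", password_problems(candidate) or "ok")
    print("locked:", locked_accounts(SAMPLE_LOGONS))
```

Replaying the sample events locks only webadmin: five consecutive failures reach the threshold, and the success that follows does not clear the lock, which is the alerting effect rule (8) describes. The backup account's failures are interrupted by a success, so its counter is reset.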

Unbind NetBIOS from TCP/IP.
Note: NetBIOS is indispensable in a LAN, but on a web server it is the preferred target of hackers' scanning tools. Method: NT: Control Panel > Network > Bindings > NetBIOS Interface > Disable. 2000: Control Panel > Network and Dial-up Connections > Local Area Connection > Properties > TCP/IP > Properties > Advanced > WINS > Disable NetBIOS over TCP/IP.

Delete all network shares.
Note: by default NT and 2000 share many network resources. This is useful for network management and communication inside a LAN, but it is a serious security risk on a web server. (Uninstall "File and Printer Sharing for Microsoft Networks": this component appears when you view the properties of any connection in Network and Dial-up Connections; click Uninstall to remove it. Merely clearing its check box does not work.)
Method:
(1) NT: Administrative Tools > Server Manager > Shared Directories > Stop Sharing;
2000: Control Panel > Administrative Tools > Computer Management > Shared Folders > Stop Sharing.
These two methods are troublesome, however, because the administrator has to repeat them every time the server restarts.
(2) Modify the registry:
Run regedit and add a value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters:
Name: AutoShareServer
Type: REG_DWORD
Value: 0
After restarting the server the disk partition shares are gone, but the IPC$ share still exists and must be removed manually after each restart.

Change the NTFS security permissions.
Note: by default all files on NTFS grant Full Control to Everyone, which lets a hacker acting as an ordinary user add, delete and execute files. We recommend granting ordinary users Read permission only and reserving Full Control for Administrators and SYSTEM. This may, however, leave some legitimate scripts unable to run or some write operations unable to complete; in that case adjust the permissions of the folder holding those files. Test the permissions on a test machine before changing them on the server, and make the change with care.

Set the system startup wait time to 0 seconds. Choose Control Panel > System > Startup/Shutdown and change the default value "30" shown in the list to "0" (or set timeout to 0 in Boot.ini).

Open only the necessary ports and close all others.
Note: by default all ports are open to the outside, and hackers use scanning tools to find the ports they can use, which is a serious threat to security.
The following lists some common ports:

Port           Protocol   Application
21             TCP        FTP
25             TCP        SMTP
53             TCP        DNS
80             TCP        HTTP server
1433           TCP        SQL Server
5631           TCP        pcAnywhere
5632           UDP        pcAnywhere
6 (non-port)   -          IP protocol
8 (non-port)   -          IP protocol

Enhance log review.
Note: logs include the application, system and security logs in Event Viewer, the WWW, SMTP and FTP logs of IIS, and the SQL Server logs. They can reveal signs of an attack, so checking the logs every day is an essential part of keeping the system secure. Security logging is off by default: enable the audit categories you want in User Manager for Domains > Policies > Audit, and select file auditing on NTFS from the file properties in Explorer. Select only the categories you really care about; if you select all of them the number of records becomes too large to analyze and wastes system resources.

Strengthen data backup.
Note: this is very important. Data is the core of a site; once it is damaged the consequences are unimaginable, and data is often what hackers are really after. Unfortunately many network administrators do poorly here, with backups that are either incomplete or late. Backup needs careful planning: draw up a policy and test it before putting it into practice, and adjust the backup plan continually as the web site changes.


Keep only the TCP/IP protocol; remove NetBEUI and IPX/SPX.
Note: the only communication protocol a web site needs is TCP/IP. NetBEUI can only be used inside a LAN, and IPX/SPX is a protocol on its way out with no use on a web site; instead it would be used by some hacking tools.

Stop unneeded services; keep only the services related to the web site and the services the server itself requires.
Note: some services, such as the RAS service and the Spooler service, can give hackers an opening. If they are not needed, disable them; this also saves system resources. Be aware that some services are required by the operating system, so check the help documentation before stopping a service and test the change on the test server first.


Hide the name of the last logged-on user by modifying the registry. Windows NT 4.0:
Add the value DontDisplayLastUserName under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and set it to 1. In Windows 2000 this value already exists; just change it to 1.
Note: by default the user name of the last logon appears in the logon box, which gives hackers a clue for guessing the password. The best remedy is to hide the last logon name.

Do not use IP forwarding. Choose Control Panel > Network > Protocols > TCP/IP Protocol > Properties and leave the Enable IP Forwarding box unchecked (NT).
Note: IP forwarding is disabled by default in NT; do not enable it, otherwise hackers can use the server to attack other servers.

Install the latest MDAC (http://www.microsoft.com/data/download.htm).
Note: MDAC is the data access component through which programs generally access databases, and it is also a target of hacker attacks. To keep the vulnerabilities of earlier versions from being carried into the upgraded version, uninstall the old version before installing the latest one. Test first, because the new version may not support some data access methods; in that case the vulnerabilities can be closed by modifying the registry, see the vulnerability test documentation.

III. IIS settings (IIS 4.0 and IIS 5.0):

Install only the services required from the Option Pack. We recommend not installing Index Server, FrontPage Server Extensions, the sample WWW site and other such components (NT). Make the same choices in Windows 2000.
Note: many of the security risks in IIS come from these additional components. If the machine serves a single WWW site, install only the necessary services, such as the WWW service and the FTP service; this reduces the chances for hackers to exploit those vulnerabilities.

Stop the default FTP site, the default web site and the administration web site, and create the WWW service and FTP service under a new directory.
Note: the default web site and the administration web site contain many files with security vulnerabilities that hackers can easily exploit; see the attached security document for the specific vulnerabilities. They must therefore be stopped. At the same time, create the new service under a new directory, never under Inetpub\wwwroot, and preferably on a different partition.

Delete unnecessary IIS extension mappings. It is best to remove the .idc, .htr, .ida and .htw application mappings; .shtml, .shtm and similar mappings should also be removed if they are not needed.
Note: these application mappings account for a large number of security risks. Method (NT, same in 2000): Web Site > Properties > Home Directory > Configuration > App Mappings.

After a new service pack is installed, check and reset the IIS application mappings.
Note: a new service pack may restore application mappings and thereby reintroduce security vulnerabilities. This is a point administrators easily overlook.

Set up an IP address deny list.
Note: for the WWW service you can deny addresses suspected of attacking the site. For the FTP service especially, if files are only uploaded from your own company, allow only the company's IP addresses to access the FTP service; this greatly improves security.

Prohibit anonymous access to the FTP service.
Note: if anonymous FTP access is allowed, the anonymous account may be used to gather more information and harm the system.

Use the W3C Extended log file format, start a new log file every day, and record the client IP address, user name, server port, method, URI stem, HTTP status and user agent. (Do not use the default log directory: change the log path and set the permissions on the log files so that only Administrators and SYSTEM have Full Control.)
Note: this is an important measure for detecting signs of attacks, taking precautions, and keeping evidence of attacks.
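The daily log review called for above (in the log review item of section II and in this item) is easier if the W3C Extended log is parsed mechanically and a few checks run over it. The following is an added example written for this page, not code from the original article or from Rising. It parses IIS W3C Extended log lines using the #Fields directive, then flags two things the article itself points at: clients that produce many error responses, and requests for the extensions the article says to remove or keep out of the web root (.idc, .htr, .ida, .htw, .shtml, .shtm, .bak, .inc). The log lines are constructed sample data; the error threshold is a value chosen for the example.

```python
"""W3C Extended (IIS) log parsing and daily review checks. Added example; the
sample log below is constructed, not a real server's log."""
from collections import Counter

# Extensions the article says to remove from IIS or keep out of the web root;
# a request for one of them is worth a second look during review.
SUSPICIOUS_EXTENSIONS = (".idc", ".htr", ".ida", ".htw", ".shtml", ".shtm", ".bak", ".inc")
ERROR_THRESHOLD = 3   # flag a client after this many 4xx/5xx responses (example value)

# Constructed sample; the field list follows the fields the article recommends,
# using the W3C field names IIS writes in its #Fields directive.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-06-01 00:00:00
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status cs(User-Agent)
2001-06-01 08:00:01 10.0.0.5 - 80 GET /default.asp 200 Mozilla/4.0
2001-06-01 08:00:02 10.0.0.5 - 80 GET /images/logo.gif 200 Mozilla/4.0
2001-06-01 08:01:10 192.168.1.9 - 80 GET /scripts/test.idc 404 Mozilla/4.0
2001-06-01 08:01:11 192.168.1.9 - 80 GET /default.asp.bak 404 Mozilla/4.0
2001-06-01 08:01:12 192.168.1.9 - 80 GET /inc/db.inc 403 Mozilla/4.0
2001-06-01 08:02:00 10.0.0.7 webadmin 80 POST /admin/update.asp 200 Mozilla/4.0
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive.

    IIS writes '-' for empty fields and '+' for spaces inside a field, so
    splitting on whitespace is safe. Directive lines start with '#'."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue   # #Software, #Version and #Date carry no records
        if fields is None:
            raise ValueError("record appears before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))


def review(text, error_threshold=ERROR_THRESHOLD):
    """Return the attack signs found: noisy clients and requests for risky files."""
    errors = Counter()
    risky = []
    for rec in parse_w3c(text):
        status = int(rec["sc-status"])
        if status >= 400:
            errors[rec["c-ip"]] += 1
        if rec["cs-uri-stem"].lower().endswith(SUSPICIOUS_EXTENSIONS):
            risky.append((rec["c-ip"], rec["cs-uri-stem"], status))
    noisy = sorted(ip for ip, n in errors.items() if n >= error_threshold)
    return {"noisy_clients": noisy, "risky_requests": risky}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    print("clients with many errors:", result["noisy_clients"])
    for ip, uri, status in result["risky_requests"]:
        print("risky request", ip, uri, status)
```

On the constructed sample the review names 192.168.1.9 both as a noisy client and as the source of all three requests for risky file types; the legitimate requests from the other two addresses are not reported. Because the parser reads the field names from the #Fields line, the same code works when the server is configured to log additional fields.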

Set the access permissions on the web site directories with care. Generally, do not grant Write or Directory Browsing on directories, and grant the directory holding .asp files Script permission rather than Execute.
Note: directory access permissions must be set carefully or they will be exploited by hackers.

IV. ASP programming security:

Security is not only the network administrator's business: programmers must also pay attention to security details and form good security habits, or hackers will take advantage of the gaps. At present the ASP programs on most web sites have such vulnerabilities, but they can be avoided if attention is paid while the programs are written.

Encapsulate code that involves user names and passwords on the server side and let it appear in as few ASP files as possible. Grant the account used to connect to the database the minimum permissions.
Note: user names and passwords are what hackers are most interested in; if the source code is seen in some way the consequences are serious, so minimize how often they appear in ASP files. They can be written in one place, in a hidden include file. If a database connection is needed, grant the account only the right to execute stored procedures; do not give it the right to modify, insert or delete records directly.

For ASP pages that require verification, track the file name of the page the user came from: only a session that arrived from the previous page may read this page.
Note: most ASP programs that require verification add a check at the top of the page, but that is not enough; hackers may bypass the verification and access the page directly, so it is necessary to track the previous page. See the vulnerability documentation for the specific vulnerabilities.

Leakage of .inc files on ASP home pages
While an ASP site is still being built and final debugging is not complete, some search engines may index it. If someone then uses a search engine to find these pages, the .inc file can be located and viewed in the browser, revealing the detailed location and structure of the database and the complete source code.
Solution: programmers should finish debugging the pages before publishing them, and security staff should protect the ASP files so that outside users cannot view them. First encrypt the content of the .inc file, then give it an .asp extension instead of .inc, so that users cannot view the file's source directly from the browser. The names of .inc files should not use the system defaults or meaningful names that users can easily guess; use irregular strings of letters.


Note that some ASP editors automatically back up ASP files, and the backups can be downloaded.
In some tools used to edit ASP programs, the editor automatically creates a backup file whenever an ASP file is created or modified. UltraEdit, for example, creates a .bak file: if you create or modify some.asp, the editor automatically generates some.asp.bak. If this .bak file is not deleted, anyone can download some.asp.bak directly and so obtain the source program of some.asp.

In ASP programs that process input boxes, such as message boards and BBS, block HTML, JavaScript and VBScript statements. Unless there is a special requirement, allow only letters and digits, block special characters, and limit the length of the input. In addition, checking the validity of input on the client is not enough; the same checks must be performed in the server program.
Note: input boxes are a target for hackers. By entering script they can damage other users' clients, and if the input feeds a database query, specially crafted query input can retrieve more data from the database, even a whole table. Input must therefore be filtered. Checking only on the client, for efficiency, can still be bypassed, so a second check on the server is required.
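The two server-side rules above (track the previous page, and validate input again on the server regardless of any client-side check) are shown below in Python rather than ASP/VBScript, as an added example written for this page and not taken from the original article. validate_field() applies the article's input rule (letters and digits only, bounded length, HTML and script blocked); came_from() and serve_page() implement "only a session that arrived from the previous page may read this page" with a session that records the last page served. The page names (logon.asp, protected.asp), the maximum length and the session layout are assumptions made for the example.

```python
"""Server-side input validation and previous-page tracking for a protected page.
Added example; page names, length limit and session layout are assumed."""
import re

MAX_LENGTH = 40                                   # assumed limit for the example
ALLOWED = re.compile(r"^[A-Za-z0-9]+$")           # the article's letters-and-digits rule
# Markup or script fragments the article says to block. They would also fail the
# whitelist, but matching them first lets the rejection reason be reported clearly.
BLOCKED_PATTERNS = (
    re.compile(r"<[^>]*>"),                        # any HTML tag
    re.compile(r"javascript:", re.I),
    re.compile(r"vbscript:", re.I),
    re.compile(r"['\";]"),                         # quote and separator characters
)


def validate_field(value, max_length=MAX_LENGTH):
    """Return (ok, reason); ok is True only for letters/digits within the length limit."""
    if not value:
        return False, "empty"
    if len(value) > max_length:
        return False, "too long"
    for pat in BLOCKED_PATTERNS:
        if pat.search(value):
            return False, "blocked pattern"
    if not ALLOWED.match(value):
        return False, "non-alphanumeric character"
    return True, "ok"


def serve_page(session, page):
    """Record the page just served so the next request can be checked against it."""
    session["previous_page"] = page


def came_from(session, expected_page):
    """True only if the last page served in this session is the expected one."""
    return session.get("previous_page") == expected_page


def handle_protected(session, form):
    """What a protected ASP page would do: refuse requests that did not pass through
    the logon page, then validate every posted field on the server."""
    if not came_from(session, "logon.asp"):
        return "denied: did not arrive from logon.asp"
    for name, value in form.items():
        ok, reason = validate_field(value)
        if not ok:
            return "rejected field %s: %s" % (name, reason)
    serve_page(session, "protected.asp")
    return "accepted"


if __name__ == "__main__":
    session = {}                                  # one visitor's session state
    print(handle_protected(session, {"user": "alice01"}))   # direct access: denied
    serve_page(session, "logon.asp")                         # visitor passes the logon page
    print(handle_protected(session, {"user": "alice01"}))   # accepted
    serve_page(session, "logon.asp")
    print(handle_protected(session, {"user": "bad<b>x"}))   # rejected: blocked pattern
```

The direct request is refused even though its form data is clean, because the session never passed through logon.asp; that is the bypass the article warns about. The validation runs on the server for every field, so a client that skips or edits the client-side check gains nothing.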


Preventing download of Access MDB databases
When Access is used as the back-end database, anyone who learns or guesses, by whatever means, the path and name of the Access database on the server can download the database file. This is very dangerous.
Solution:
(1) Give the database file a complex, unconventional name and place it several directories deep. For example, if the database stores information about books, do not name it book.mdb; name it something like d34ksfslf.mdb and put it in a directory such as ./kdslf/i44/studi/. Then it is hard for hackers to obtain your Access database file by guessing.
(2) Do not write the database path in the program. Some people write the full connection string, including the database file, in the program like this:

dbpath = Server.MapPath("analyticdb.mdb")
Conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & dbpath

If the source program is obtained, the name of your Access database is visible at a glance. We therefore recommend defining the data source in ODBC and writing only the DSN name in the program:

Conn.Open "shujiyuan"

(3) Use Access to encode and encrypt the database file. First choose Tools > Security > Encrypt/Decrypt Database, select the database (for example employer.mdb) and click OK. A dialog asks where to save the encrypted database; save it as employer1.mdb, and employer.mdb is encoded and stored as employer1.mdb.
Note that this step does not set a password on the database; it encodes the database file so that others cannot read its contents with other tools.
Next, encrypt the database. Open the encoded employer1.mdb in Exclusive mode, choose Tools > Security > Set Database Password from the menu, and enter a password. Then even if someone obtains employer1.mdb, they cannot read it without the password.

V. SQL Server security:

SQL Server is the most widely used database system on the NT platform, and its security problems deserve attention too. Databases often hold the most valuable information; once the data is stolen the consequences are unimaginable.

Apply patches promptly.
Note: as with NT, many SQL Server vulnerabilities are closed by patches. We recommend testing each patch on the test machine before installing it and backing up the data on the target server beforehand.

Give sa a complex password.
Note: sa has full permissions over all SQL Server database operations. Unfortunately some network administrators are not familiar with the database, and database creation is left to programmers who care only about writing SQL statements and are not familiar with SQL Server administration, which can leave the sa password blank. This is a serious threat to database security, and there are quite a few web sites with this risk at present.

Strictly control the permissions of database users. Do not grant users the right to query, modify, insert into or delete from tables directly. Grant them access to views, and only the right to execute stored procedures.
Note: if a user has direct operation permissions on a table, the data may be damaged.

Formulate a complete database backup and recovery policy.

VI. pcAnywhere security:

Currently pcAnywhere is the most popular remote control tool on NT and 2000, and its security also needs attention.

Use a separate user name and password for pcAnywhere, preferably with encryption. Do not use the same user name and password as the NT administrator, and do not use NT-integrated authentication.
Note: the pcAnywhere password is the first gate for remote control. If it is the same as the NT password, that security barrier is lost, and once it is broken there is no security left. With a separate password, NT's own password still stands as a barrier even if pcAnywhere is broken.
Install newer versions promptly.
